AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-07-01 · Documentation medium

File: cognito/latest/developerguide/token-endpoint.md

Summary

Clarified usage of aws_client_metadata in M2M flows and updated trigger version requirements

Security assessment

Enhances documentation about secure handling of client metadata in machine-to-machine authorization flows. Specifies version requirements but does not address a specific security vulnerability.

Diff

diff --git a/cognito/latest/developerguide/token-endpoint.md b/cognito/latest/developerguide/token-endpoint.md
index 9e79e7ff9..c2121e5d6 100644
--- a//cognito/latest/developerguide/token-endpoint.md
+++ b//cognito/latest/developerguide/token-endpoint.md
@@ -136 +136 @@ _Optional._
-Information that you want to pass to the [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). Your application can collect context information about the user or machine session and pass it in this parameter. When you pass `aws_client_metadata` in URL-encoded JSON format, Amazon Cognito includes it in the input event to your trigger Lambda function. Your pre token trigger event version or global Lambda trigger version must be configured for version two or later.
+Information that you want to pass to the [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html) in [machine-to-machine (M2M)](./cognito-user-pools-define-resource-servers.html) authorization flows. Your application can collect context information about the session and pass it in this parameter. When you pass `aws_client_metadata` in URL-encoded JSON format, Amazon Cognito includes it in the input event to your trigger Lambda function. Your pre token trigger event version or global Lambda trigger version must be configured for version three or later. Although Amazon Cognito accepts requests to this endpoint in authorization code and client credentials M2M flows, your user pool only passes `aws_client_metadata` to the pre token generation trigger from client credentials requests.